p2p.wrox.com Forums


beginning_php thread: open_basedir restriction


Message #1 by spam@k... on Fri, 13 Sep 2002 17:29:46 -0500
My opendir() code is getting tripped by something called an open_basedir restriction. I can't figure out
what that is, though. This is what it says on www.php.net:

"open_basedir: Limit the files that can be opened by PHP to the specified directory-tree. When a script tries to open a file with,
for example, fopen or gzopen, the location of the file is checked. When the file is outside the specified directory-tree, PHP will
refuse to open it. All symbolic links are resolved, so it's not possible to avoid this restriction with a symlink. The special value
. indicates that the directory in which the script is stored will be used as base-directory. Under Windows, separate the directories
with a semicolon. On all other systems, separate the directories with a colon. As an Apache module, open_basedir paths from parent
directories are now automatically inherited. The restriction specified with open_basedir is actually a prefix, not a directory name.
This means that "open_basedir = /dir/incl" also allows access to "/dir/include" and "/dir/incls" if they exist. When you want to
restrict access to only the specified directory, end with a slash. For
example: "open_basedir = /dir/incl/" Note: Support for multiple directories was added in 3.0.7.  The default is to allow all files
to be opened."

I can't make heads or tails out of that. What does it mean? 

What I want is my main file to include a config file. I thought I'd get clever and, if the include failed, have the script keep
looking for the config file, rather like a Mac will look all over for the System Folder on startup. This is the code I tried: 


	// Try the current directory first; include_once returns false on failure.
	$configError = @ include_once("mcConfig.php");
	if (!$configError) {
		// Collect the subdirectories of the current directory.
		$allDirs = array();
		$thisDir = @ opendir("./");
		if ($thisDir !== false) {
			while (false !== ($entry = readdir($thisDir))) {
				if (is_dir($entry) && $entry != "." && $entry != "..") $allDirs[] = $entry;
			}
			closedir($thisDir);
		}
		print_r($allDirs);
		// Look for the config file in each subdirectory.
		for ($i=0; $i < count($allDirs); $i++) {
			$address = $allDirs[$i];
			$address .= "/";
			$thisDir = @opendir($address);
			if ($thisDir === false) continue;
			while (false !== ($entry = readdir($thisDir))) {
				// Include the file from the subdirectory it was found in.
				if ($entry == "mcConfig.php") $configError = @include_once($address . "mcConfig.php");
			}
			closedir($thisDir);
		}
	}
	// Fall back to the parent and grandparent directories.
	if (!$configError) $configError = @ include_once("../mcConfig.php");
	if (!$configError) $configError = @ include_once("../../mcConfig.php");
	if (!$configError) $configError = "configNotLoaded";


The print_r() was for debugging. 

I'm getting an error "open_basedir restriction: the file is in the wrong directory." 

What the hell? Can anyone interpret this into English? 





Message #2 by "Nikolai Devereaux" <yomama@u...> on Fri, 13 Sep 2002 16:18:58 -0700
It means that you're attempting to include a file from a directory that PHP
is restricted access to.

Take, for example, this directory structure:

/home/you/public_html/

if open_basedir is set to /home/you/, then your PHP scripts can open ANY
file in any directory rooted at /home/you/.

You can't, however, include anything from /home/me/ or /home/ or /tmp...

The main loop area of your script looks decent enough, since it only looks
in the directories at or below the current working directory.  It's on the
next couple lines that things get shady.  When you do one (or both) of
these:

  include_once("../mcConfig.php");
  include_once("../../mcConfig.php");

You're trying to include  /home/you/mcConfig.php and /home/mcConfig.php,
respectively.  One (if not both) of these are probably beneath the allowed
base_dir.


Hope this makes sense...

Nik
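
The check described in the quoted manual text and in the reply above, as an added sketch that is not part of the original thread or of PHP's own source. The function names, the /home/you/public_html layout and the two open_basedir values are assumptions for illustration; the model treats each entry as a string prefix as the quoted text says, handles file paths only, and collapses "." and ".." without resolving symlinks.

```php
<?php
// Collapse "." and ".." so a relative include path becomes an absolute one.
function normalize_path(string $path, string $cwd): string
{
    if ($path === '' || $path[0] !== '/') {
        $path = rtrim($cwd, '/') . '/' . $path;   // relative to the script directory
    }
    $out = [];
    foreach (explode('/', $path) as $part) {
        if ($part === '' || $part === '.') continue;
        if ($part === '..') { array_pop($out); continue; }
        $out[] = $part;
    }
    return '/' . implode('/', $out);
}

// True when the resolved path starts with one of the open_basedir entries.
function allowed_by_basedir(string $path, string $basedir, string $cwd): bool
{
    $resolved = normalize_path($path, $cwd);
    foreach (explode(':', $basedir) as $prefix) {   // ":" separator on non-Windows
        if ($prefix === '.') $prefix = $cwd;        // "." = directory of the script
        if (strncmp($resolved, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

$cwd = '/home/you/public_html';   // constructed layout, taken from the reply's example
$candidates = ['mcConfig.php', 'sub/mcConfig.php', '../mcConfig.php', '../../mcConfig.php'];
foreach (['/home/you/public_html/', '/home/you/'] as $basedir) {   // assumed settings
    foreach ($candidates as $c) {
        printf("%-24s %-20s -> %-34s %s\n", $basedir, $c, normalize_path($c, $cwd),
            allowed_by_basedir($c, $basedir, $cwd) ? 'allowed' : 'refused');
    }
}

// Prefix semantics: only the trailing slash keeps /dir/include out of /dir/incl.
var_dump(allowed_by_basedir('/dir/include/x.php', '/dir/incl', '/'));
var_dump(allowed_by_basedir('/dir/include/x.php', '/dir/incl/', '/'));
```

The table it prints shows which of the four include paths from the question land outside each assumed setting once the "../" segments are resolved.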

Message #3 by spam@k... on Sat, 14 Sep 2002 13:40:37 -0500
Makes lots of sense. Thanks for the answer. It would seem this host doesn't let you hide config files
outside of the web directory. That was a piece of security advice that they often give for Phorum, and I was going to do the same
with my software. But I guess this hosting company won't allow it. 

